spindle/xrpc/remove_secret.go at c0cf6911f13a6bc603579bfc86c06145d288f1b5 · tangled.org/core

Monorepo for Tangled tangled.org

core / spindle / xrpc / remove_secret.go

at c0cf6911f13a6bc603579bfc86c06145d288f1b5 2.4 kB View raw

Lewis spindle: key repos and collabs on repoDID 6w ago

 1package xrpc
 2
 3import (
 4	"encoding/json"
 5	"fmt"
 6	"net/http"
 7
 8	"github.com/bluesky-social/indigo/api/atproto"
 9	"github.com/bluesky-social/indigo/atproto/syntax"
10	"github.com/bluesky-social/indigo/xrpc"
11	"tangled.org/core/api/tangled"
12	"tangled.org/core/rbac"
13	"tangled.org/core/spindle/secrets"
14	xrpcerr "tangled.org/core/xrpc/errors"
15)
16
17func (x *Xrpc) RemoveSecret(w http.ResponseWriter, r *http.Request) {
18	l := x.Logger
19	fail := func(e xrpcerr.XrpcError) {
20		l.Error("failed", "kind", e.Tag, "error", e.Message)
21		writeError(w, e, http.StatusBadRequest)
22	}
23
24	actorDid, ok := r.Context().Value(ActorDid).(syntax.DID)
25	if !ok {
26		fail(xrpcerr.MissingActorDidError)
27		return
28	}
29
30	var data tangled.RepoRemoveSecret_Input
31	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
32		fail(xrpcerr.GenericError(err))
33		return
34	}
35
36	// unfortunately we have to resolve repo-at here
37	repoAt, err := syntax.ParseATURI(data.Repo)
38	if err != nil {
39		fail(xrpcerr.InvalidRepoError(data.Repo))
40		return
41	}
42
43	// resolve this aturi to extract the repo record
44	ident, err := x.Resolver.ResolveIdent(r.Context(), repoAt.Authority().String())
45	if err != nil || ident.Handle.IsInvalidHandle() {
46		fail(xrpcerr.GenericError(fmt.Errorf("failed to resolve handle: %w", err)))
47		return
48	}
49
50	xrpcc := xrpc.Client{Host: ident.PDSEndpoint()}
51	resp, err := atproto.RepoGetRecord(r.Context(), &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String())
52	if err != nil {
53		fail(xrpcerr.GenericError(err))
54		return
55	}
56
57	repoRec, ok := resp.Value.Val.(*tangled.Repo)
58	if !ok {
59		fail(xrpcerr.RepoNotFoundError)
60		return
61	}
62	if repoRec.RepoDid == nil || *repoRec.RepoDid == "" {
63		fail(xrpcerr.GenericError(fmt.Errorf("repo record %s has no repoDid", repoAt)))
64		return
65	}
66	repoDid := *repoRec.RepoDid
67
68	if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, repoDid); !ok || err != nil {
69		l.Error("insufficient permissions", "did", actorDid.String())
70		writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized)
71		return
72	}
73
74	secret := secrets.Secret[any]{
75		Repo: secrets.RepoIdentifier(repoDid),
76		Key:  data.Key,
77	}
78	err = x.Vault.RemoveSecret(r.Context(), secret)
79	if err != nil {
80		l.Error("failed to remove secret from vault", "did", actorDid.String(), "err", err)
81		writeError(w, xrpcerr.GenericError(err), http.StatusInternalServerError)
82		return
83	}
84
85	w.WriteHeader(http.StatusOK)
86}

Configure Feed

Configure Feed